It is all well and good to talk about how efforts are being made to bring “norms” to conflict in cyberspace, but proponents continue to forget that cyberspace doesn't care about the Peace of Westphalia. Political-Military leadership that cut its teeth during the Cold War default to what they know best and suppose we can secure the future if we look to the past. It is natural to try and frame new problems into familiar constructs, but the utility of such thinking ends in the classroom or salon: legacy futures will get us nowhere. Consider the recent revival of talk of cyber deterrence. The point of a strategic deterrence scheme is to make an attack unthinkable. “Unthinkable” means a lot more when the threat is atomic vice digital. Government and national interest systems are hacked regularly, yet for all the hullabaloo about the associated impact, life for most people soldiers on unaffected (something you could not say if we were talking nukes). In the short-term we have attribution in a meta sense, and justification to act in a correspondingly meta fashion. Not enough to justify a missile launch; not enough to spawn a Colin Powell-at-the-UN moment.
Let me know how that strongly worded demarche goes over.
The problem with traditional thinking around this topic is that that we’re not dealing exclusively with governments, and therefore it cannot be politics as usual. Some of the largest and most powerful actors in cyberspace are publicly traded and/or focused on profitability, not geopolitical dominance. Hegemony (a/k/a “market penetration”) is certainly a part of their strategy, but to the extent that such organizations practice politics, it is to find out what buttons to push, skids to grease, and functionaries to pay off, in order to achieve permission to sell: nothing more, nothing less.
Secondly, governments do not have an exclusive corner on the creation and projection of power in cyberspace the way they do in the physical world. Your average person cannot raise an army. In cyberspace, an average person with little capital investment and no political standing can acquire the skills necessary to steal vast sums of money, deny people’s access to resources, inhibit a government’s ability to provide services to its citizens, and otherwise do things that only the most powerful entities in meat-space can perform.
Finally, whatever shortcomings past control, monitoring, or counter-proliferation regimes had in the physical world seem trivial when compared to the complexity if not outright impossibility of doing so in a digital context. Computer science is not nuclear physics; you cannot build an atomic bomb by reading books in the library and tinkering in your basement; you most certainly can build a digital weapon by doing so. By extension you cannot keep track of all the tools, resources, and individuals associated with a digital “weapons program.” In reality, everyone with a computer and the intellectual capacity to write computer code is the next Oppenheimer, every computer lab in every college or high school is a potential Los Alamos, every computer science or engineering textbook an ITAR-controlled item.
/* It is at this point when someone gets the bright idea of starting up a ‘Cyber Manhattan Project’ to help kick-start better defenses…to which I channel my inner Inigo Montoya and respond: “I don’t think you know what the Manhattan Project actually did.” */
Next Week: A More Productive Way Forward